[Samba] Share permission problem if user is member in more than 16 groups on AD
marcis.lielturks at gmail.com
Wed Jul 14 15:26:05 MDT 2010
Thanks, machine wont provide NFS or ssh login services, so fiddling with max
groups should do no harm!
I googled a bit at found that samba should be recompiled to take advantage
of new NGROUPS_MAX. "./configure" logs also suggested that NGROUPS_MAX is
evaluated only at compile time.
Can anybody share experience on compiling samba on OpenSolaris? What's the
most painless way? I'm considering to use latest 3.5.5 but maybe I should
use same version Sun (Oracle) is using - 3.0.37? I have to set up Samba on 2
servers, which already replicate storage, so ID mapping must be consistent
between both Samba servers. Servers have to provide shares also to trusted
domains, but 3.0.37 doesn't have idmap_hash and seems that idmap_rid is not
supported to provide mappings for more than one domain, so anything newer
than 3.0.37 sounds like the right choice.
On 14 July 2010 19:46, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
> Here is the catch (at least for some people.)
> This can break NFS stuff. On my PDC I made a similar change. Home
> directories are not on the PDC. This fixed the problem of people getting
> login failures when logging into windows if they had more than 16 groups.
> But if a user tries to ssh into the PDC, and he is in more than 16 groups,
> his login will fail because the home directory can not be mounted. But if
> your samba server is not functioning as an nfs client then it shouldn't be
> an issue.
> My PDC is samba 3.4.x. The BDC's are 3.0.x. Samba 3.0.x domain
> controllers didn't check if your Windows groups exceeded the system group
> max. You could login- you might not have all the access to directories
> you thought you should since your effective group list was still getting
> With Samba 3.4.x, samba checks to see how may groups you are in, and if the
> exceeds the ngroups_max it aborts your login. I don't know why. It isn't
> like it is fixing a security hole. It just gets people mad at me.
> On 07/14/2010 07:39 AM, Marcis Lielturks wrote:
>> Running OpenSolaris snv_134 with Samba 3.0.37. Samba is successfully
>> joined to AD domain. AD user "user1" is member in 17 AD groups including
>> "group1", but he cannot access Samba share which have read permissions for
>> "group1". If user account is modified and "group1" becomes users primary
>> group, then he can access shares. If user is member of only 16 groups, then
>> permissions work as expected regardless of users primary group.
>> Operating systems "ngroups_max" is set to 1024. I tested with local user
>> and was able to add user to 1024 local groups.
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
More information about the samba